Linux server security?

[BillEssley]

Hey there,

How can I make my Linux box (cPanel/WHM installed on my VPS) more secure?

Do you guys share any tips?

Thanks,

Bill

 

[Localnode]

A good start is installing and configuring CSF - ConfigServer Security & Firewall. Configure cPHulk Brute Force Protection. Rootkit hunter.
Changing SSH port is also another good thing. Making sure the root password is long and obscure. Securing Apache, hardening PHP... the list goes on.

This guide should help somewhat - [URLnofo]http://www.whmsecurity.com/whm/how-to-whm-server-hardening-and-security-basics[/URLnofo]
And this one: [URLnofo]http://www.webhostgear.com/cid_6.html[/URLnofo]

I'd highly suggest getting someone to harden it for you if this is a production environment, as asking on a forum is generally a good indication that you don't know how
Keep in mind hardening isn't a fire and forget thing - you need to update these things regularly. Whenever there is a security hole - patches are released fairly quickly - you need to keep on top of such things.

 

[ProxyRadar]

First of all - change your SSH port, disable services that you don't use, install all package updates, install and configure Fail2Ban, it will help you to prevent brute force attacks, analyze your web server logs on a regular basis to detect and to suppress suspicious activities.

 

[BountySite]

[URLnofo]http://www.whmsecurity.com/whm/how-to-whm-server-hardening-and-security-basics[/URLnofo] is good

My 2 cents:-
- Stop unwanted network services from startup
- Allow set of ips in firewall for ssh or run ssh on different port with set of ips allowed. You ISP network range /16 or /24
- Configure OUTPUT firewall chain, to only allow ESTABLISHED state traffic. Log & drop other requests. Make sure you dont lock yourself out
- grsecurity definitely helps in memory overflow exploits
- Check for overlayfs kernel module. Disable the module, if running. I recollect it is vulnerable
- Disable ssh root login. Login as normal user(UID>500/1000). Sudo to root with password
- You can checkout Duo security 2FA for ssh login
- Make sure you keep all your applications updated regularly
- Ensure that your CMS is updated regularly
- If using wordpress, consider using plugins like wordfence, succuri, 6scan, All in One WP Security & Firewall

Remember that security is a practice.

 

[BillEssley]

A good start is installing and configuring CSF - ConfigServer Security & Firewall. Configure cPHulk Brute Force Protection. Rootkit hunter.
Changing SSH port is also another good thing. Making sure the root password is long and obscure. Securing Apache, hardening PHP... the list goes on.

I have ever not heard of this before, which ports should I allow to open and how to change SSH port?

My 2 cents:-
- Stop unwanted network services from startup

- Allow set of ips in firewall for ssh or run ssh on different port with set of ips allowed. You ISP network range /16 or /24

- grsecurity definitely helps in memory overflow exploits

- Check for overlayfs kernel module. Disable the module, if running. I recollect it is vulnerable

- Disable ssh root login. Login as normal user(UID>500/1000). Sudo to root with password

Too much useful info for this answer.

Can you elaborate these steps on how to do them?

AND

I read your article from your link

php.ini & disabled functions
Edit php.ini like this:

nano /usr/local/lib/php.ini

safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,
shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd

Then restart Apache

service httpd restart

Or you can edit php.ini via WHM:
WHM – Service Configuration – PHP Configuration Editor

IF I disabled these functions, it can affect to my CMS or OS works?

 

[radwebhosting]

radwebhosting

I recommend asking your provider to assist you with this task. Let their support team handle it.

 

[BountySite]

- Changing ssh port
/etc/ssh/sshd_config

Port 22

Restart ser
- Find running network services (either of the following commands)
ss -nlp
netstat -nlp

Stop services using
service <service_name> stop

Remove from startup using update-rc.d or chkconfig

- Allow your ISP subnet in firewall for ssh
Port scanning sometimes can reveal ssh ports. Using high port range for ssh, can also be a good idea.

- Overlayfs vulnerability can help unprivileged user to gain root access.
[URLnofo]http://securitytracker.com/id/1034548[/URLnofo]

Ah! Ubuntu has issued a fix for 15.10/15.04 server. Overlayfs module is/was enabled by default(least on Ubuntu), which helps in merging mounts to existing directory of files.

Disable kernel module by adding "blacklist <module_name>" in /etc/modprobe.d/<name>.conf


- Disable root login
/etc/ssh/sshd_config

PermitRootLogin no

- Password sudo
Login in as any other user than root, and sudo to root, using password. Users have a bad habit of not keeping sudo password.

Edit /etc/sudoers using visudo
=> use PASSWD, instead of ALL/NOPASSWD. Refer manual.

 

[Mike_Brown]

By secure, do you mean prevent unauthorized access? If so there is several techniques you can use to accomplish this.
1. Change your SSH port from the default. Hackers always port 22 first when attempting to hack their way into a Linux machine.
2. Only allow logins from trusted IP's. It is a much more complete solution to add a white list rather than a black list, if you can. This can be done via the SSH configuration file.
3. If you're using MySQL, be sure to escape your queries and never allow for non-escaped user input into a query.

There is an endless list of things you can do to better secure your machine but remember, you are only as strong as your weakest link.

 

[Web Marketing Tool]

- Use sFTP and disable FTP
- Make sure MySQL has the anonymous user and test database removed (your can use mysql_secure_installation if it is a new setup)
- Also, be sure the root mysql user has a password assigned.
- Make sure you have a firewall setup (you can use iptables)
- Block offending countries if possible. For example, if 100% of the purchases from your site comes from USA then block China and other high risk countries.
- Change your passwords frequently.
- If hiring freelancers give them their own account for login (database, ftp, any password you give them) and delete their account once it is no longer needed.
- If hiring freelancers be careful who you hire and try to not jump around between a lot of contractors (as each person is a risk they might do something malicious to your site to steal something without you knowing).
- Make sure your browser you use doesn't have a virus (I've seen viruses that inject hidden html code when using WYSIWYG editors)
- If using WordPress only install trusted plugins and only what you need. Don't install stuff and leave it there and never use it.
- Make sure you do updates to your server several times a year.

 

[BillEssley]

BillEssley

Can you elaborate on thsese points? Why FTP is less secure than sFTP ?
and using iptables is enough for secure my Linux without installing other firewall software?

 

[Waqass]

I got my vps hacked...Can anyone provide the basic things I need to run my vps and stop it getting from hacked..I am running a Cpanel/WHM on it with reseller option but linux security is new to me.

 

[HM-Mike]

I got my vps hacked...Can anyone provide the basic things I need to run my vps and stop it getting from hacked..I am running a Cpanel/WHM on it with reseller option but linux security is new to me.

Firstly you need to find out exactly how or why it got hacked, without that you'll be fighting a losing battle. You can try running a malware scan through the files, I tend to use Malware Detect;

Login as root and do the following;

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxf maldetect-current.tar.gz
cd maldetect-*
sh install.sh

Once you've done this, you can run it. For a cPanel server, I would run the following (unless you know the site that got hacked to begin with);

maldet -a /home/?/public_html/

If you know which site was hacked then do the following (this will heavily shorten the scan if you have a lot of files);

maldet -a /home/USERNAME/public_html/

Another option to reduce the time taken to scan is to install ClamAV, you can do this in WHM under the CPAddons section.

Overall, this program will produce a report with any suspicious looking files which you can then investigate and fix/replace and harden. A web developer would be a good asset in sad times like these.

Hope this helps!

Thanks,

Mike

 

[harrygreen90]

harrygreen90

In the past I had a WP site that got malware, I scanned it with sucuri or other WP plugins and they could detect files or where was been infected with spyware/malware/virus. I could use same tools like you suggested to install on the VPS but it scanned very long or didn't find any infected files.

In this case, I think do a fresh install for your VPS and Wordpress can solve the problems. After re-installed latest versions of software on the VPS, we can do some actiction to protect hackers from rehacking it by some configurations like:
- Secure Php with php's disable_functions
- Install a firewall.
- Enable SSL/https for your sites

Hope it helps!

 

[JonaHost]

Start with Config Server Firewall

Installation
============
Installation is quite straightforward:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

 

[Waqass]

Waqass

Well I searched a lot and did the following things and still so far not a single attack.

did a fresh install of VPS
installed CFS...yeah you recommended it but accidently found it at other places duly recommended by the CPanel team also....helped in securing alot of vulnerabilities.
Also disabled root login,password login...though same was instructed by CFS. Then a one or two little more tweaks i found on internet.
Also install anti rootkit, calmAV and secured accounts using jailshell. Well i think I have secured the server to the best of my knowledge but hay even NASA's server get hack so you can are never safe only you can minimize the chances of being targeted to the script kiddies trying to get their hands on un secure VPS.

 

[serversupport]

CSF firewall installed and configured.
Mod Security "OWASP ModSecurity Core Rule Set" and configured.
ClamAV Anti Virus installed and Configured and integrated with exim.
Maldet installed and configured.
Lockdown & Hardening the Root Password.
SSH Port secured
Noexec, Nosuid Temporary Directories (noexec Directories such as /tmp, /var/tmp, /dev/shm
Security Updates as per Control Panel.
Disabled Unwanted Services
DNS Secured
Securing and Optimizing MySQL.
Enable PHP Open_Basedir Protection
Enable mod_userdir Protection
Securing Console Access
PHP5 Hardening (Only, No PHP4)
Configuring Anti-Spam Features to Reduce Spam ( Enable RBL ACLs, SPF Protection, & Spam Assassin Configurations )
Apache tweaked and haredend.
sysctl.conf Hardening.
Host file hardened.
Rkhunter installed and configured.
Chkrootkit installed and configured.
Fail2Ban installed and configured.
Shell Fork Bomb Protection
Background Process Killer

 

[onliveserver]

There are some utilities that's follow on the server.
1. Installing and configuring CSF
2. Configure cPHulk Brute Force Protection
3. Rootkit hunter.
4. change SSH port ans also secure password of root
5. Stop unwanted network services from startup
6. Disable ssh root login via Sudo
7. Make sure you keep all your applications updated regularly
8. Ensure that your CMS is updated regularly(wordfence-> succuri, 6scan, All in One WP Security & Firewall)

 

[Waqass]

I have vps from popular companies. How can I know what methods they have employed to secure their dedicated servers?

 

[gmanon]

It all depends from what or whom you want to protect it. Linux has such a wide range of security tools

If it's from internal users, administrators, or external users or from attacks that you want to protect your pannel?

Proper use of Permissions, proxies and firewalls are good for internal users and internal networks as well as webserver access files and server passwords.

Never keep database configuration inside your Document Root. Specify base URL.


Configure
Hosts.allow; hosts.deny
Use SSL for every possible server accessed from outside.
Close all unnecessary ports
If a process or service do not need to turn on at boot up time, turn it on manually when you needed or write a script to do so.
Use proxy for the webserver, sftp or ssh. If you log from windows use putty. Use encryption for you storage if possible and for scripts with passwords and login information.
Configure your IPTables.
Protect your cache when using combination of server-client technology like AJAX.

 

[BenSupportSages]

You can make your server secure by taking care of the following factors.
Use secure passwords
Secure SSH
Secure Apache
Harden your operating system
Restrict your system’s compilers
Disable unused services and daemons
Monitor your system
Control access to services by IP Address
Enable a firewall
Stay up-to-date

 

[macfanpl]

Harden your install.

1. Change SSH port,
2. Make your drives map-resistant (many deceitful software vendors will do their best to map /dev/sda and so on),
3. Install fail2ban and configure it to disallow all incoming traffic at the same time allowing all outgoing.
4. Follow simple rule :: the less there is on your harddrive the better; install what you really need only. Stay away from spies like KDE, Mozilla, Qt and alike. Do your research before installing not after

 

[arindamb]

arindamb

What is the effect of change ssh port? I have never heard about drives map-resistant? what is it?

 

[Server Trafficweb]

The first thing you should do to secure your server is to update the local repositories and upgrade the operating system and installed applications by applying the latest patches.

 

[hostguy]

Its very important to secure secure server, there are various steps available to secure server.

• Install CSF (Config server firewall)
• You can change default SSH port and use any other port number. Default SSH port is 22.
• Check your PC for any malware and do not save any password in browser.
• Enable Brute force protection.